Re: [TLS] Input on ECH specification
Eric Rescorla <ekr@rtfm.com> Sat, 17 February 2024 18:48 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E65D9C14F5EF for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 10:48:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQ5DvEs2l5gx for <tls@ietfa.amsl.com>; Sat, 17 Feb 2024 10:48:03 -0800 (PST)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64ED1C14F5E9 for <tls@ietf.org>; Sat, 17 Feb 2024 10:48:03 -0800 (PST)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-dcd7c526cc0so3422529276.1 for <tls@ietf.org>; Sat, 17 Feb 2024 10:48:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1708195682; x=1708800482; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VqwJwAVIN+mT4E1IZaY/C75tWTEIyWIcSZjoSOFROeU=; b=D/MFOqsXZcCeHq7kaaTRV06ClGeFC32aVSSrrHXpmBng7nRQG7H+avQPPieSqcEytT CpfGAZ/SJfuK7G7NXaE9+w6LKPV+mnhhdtSY7moDkh4hXHwZsBGwrA5zcIQbPfP2jv03 oTMZlLLcA9dJAm6XpFbfIXf0LyTyY1kblQpc9VSZrmN++kJQxLVeF4/GuNZy9JQeYBwX 2KB7bsJISmBcZRshY/vRbE53SQShv/YRdJwLc5+eb4N88YTzmxHeJa1xediqzybNucTx GXMwsgNqAnJ1sRUfff08ncrUJp9k33leelUrfKmWTFn//kMAhqtsmiVicypjx0Ft5XSy gbOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708195682; x=1708800482; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VqwJwAVIN+mT4E1IZaY/C75tWTEIyWIcSZjoSOFROeU=; b=aBgL1mODnwdyLSKfJ7MLMR36nkcoNits++r6JEVTNmk2OVtQBIe59oZxvfh+2HYOtO xwwa/H6FCO+o5+wERgoEYpHqDuWNPIiRdlBBBa/1g4iHV51ZaHbdBlzy+NKF+gFEMX6x C6UoJA311FiEXJ5me0i61eUrOy6kNJbuJFFdEQg908yj6S84d9bmhG3LCNBlReaH6f2k Nh55zk9J7pjW9+HogELYHWDBSl+16eJZfGVj9ng7CJDjCsT9+6+ftE1IcdArXsus/bD6 +Grj/qW6NGJijElAN/DmHv+0LyTmVyThB5XEiYZk57nZLRqqOXX+35+wbOHCGWBYfmy7 bXLg==
X-Gm-Message-State: AOJu0YwHgoXdhy+CPV5I0f7FcJFudO3Cx7tkmgX8Z2CsiNfohNcTIG5Y CPwtzifJxQ/VpoXIxwULN4j6KUAEFwtbkuV6LKdSaoSchUHQptfQJOfjNWsTiuloOAkS4iLDMxK QDkQty0hAq946jK7oIUfUvQvxfQsQNG78WFmyXJJYT8nzO+Z7Y0k=
X-Google-Smtp-Source: AGHT+IEF+9gJS3s77AgEJPpZ0CHPYalYYcxpIsEspVf4/HP2J8lkvbTZ1evQ0TASoAeTxhdLbS1tOHqJe2vBxRNErMc=
X-Received: by 2002:a25:9108:0:b0:dc7:4806:4fb with SMTP id v8-20020a259108000000b00dc7480604fbmr8289286ybl.8.1708195682339; Sat, 17 Feb 2024 10:48:02 -0800 (PST)
MIME-Version: 1.0
References: <CWXP265MB46815100B9E7A58D77168E9595452@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
In-Reply-To: <CWXP265MB46815100B9E7A58D77168E9595452@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 17 Feb 2024 10:47:25 -0800
Message-ID: <CABcZeBM-KXsxZtJoZOny0R2-VWOYuQC+hL3ycLqbzeC=vB4S2g@mail.gmail.com>
To: Elardus Erasmus <Elardus.Erasmus=40Sophos.com@dmarc.ietf.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da67e30611984c98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8pkb0PYPodMNioEMF7Vu98k2Wcw>
Subject: Re: [TLS] Input on ECH specification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Feb 2024 18:48:05 -0000
On Wed, Feb 7, 2024 at 2:06 PM Elardus Erasmus <Elardus.Erasmus= 40Sophos.com@dmarc.ietf.org> wrote: > Hi, > > I figured it would be better to send an email, rather than proposing and > discussing this on a PR (proposed edits/diffs are at the bottom of this > email). > > We have two suggestions regarding the specification text ( > https://datatracker.ietf.org/doc/draft-ietf-tls-esni/): > > *Suggestion 1* > > Make it clear that if an ECH extension is absent from the server_hello, it > qualifies as an ECH disabling signal. The text earlier in the section > already requires that “both authentication and the handshake complete > successfully” in the initial ECH-enabled connection, for ECH to be regarded > as disabled. The same (ECH disabling due to absent ECH ext from server) can > be deducted by reading a few paragraphs, but even then, it is not clear. > This makes it much clearer. > > In Section 6.1.6, change: > > If none of the values provided in "retry_configs" contains a supported > version, > or an earlier TLS version was negotiated, the client can regard ECH as > securely > disabled by the server, and it SHOULD retry the handshake with a new > transport > connection and ECH disabled. > > To: > > If none of the values provided in "retry_configs" contains a supported > version, > or an earlier TLS version was negotiated, *or the server did not supply > an* > *"encrypted_client_hello" extension in its EncryptedExtensions message,* > the > client can regard ECH as securely disabled by the server. It SHOULD retry > the handshake with a new transport connection and ECH disabled. > I agree with this. I have created PR #603 to address this: https://github.com/tlswg/draft-ietf-tls-esni/pull/603 > *Suggestion 2* > > Section 6.1.6 also mentions that: > > Clients SHOULD implement a limit on retries caused by receipt of > "retry_configs" > or servers which do not acknowledge the "encrypted_client_hello" extension. > > The text does not differentiate between *retry types* for the purpose of > limiting the connections. I.e., if the ECH config was replaced, then it is > an *ECH-enabled* retry (with new keys). But if ECH was disabled, then it > is an * ECH-disabled* retry. Limiting the connections makes sense for > *ECH-enabled* retries due to config replacement, since the connections > seem not be successful in any case and thus the extra load is not > necessary. But limiting it for *ECH-disabled* connections could mean that > connections may start failing abruptly, depending on the aggressiveness of > the limit on the client. As long as ECH-disabled connections succeed, they > should not be limited so that connectivity does not suffer unnecessarily. > I think I agree with you that we shouldn't limit > It would probably even be good/necessary to implement a *holdoff* on the > client in the *ECH-disabled* case. I.e., not making an ECH-enabled > connection to an SNI that resulted in ECH disabling for some duration of > time. Some scenarios where this would be desirable: > > - The ECH version steps. This will lead to ECH-disabled retries. > During DNS propagation time, the number of connections to client-facing > servers of ECH enabled sites will double (say a large CDN activates a > version step of all its sites all at once). Clients that limit retries > could experience connectivity issues, but clients that implement a holdoff > would mitigate the connection doubling problem in such a scenario. > - A server disables ECH temporarily or serves TLS 1.2. Again, ECH will > be securely disabled, and a connectivity loss may occur (retry limit). A > doubling in connections will be experienced until DNS propagation is > finished - or indefinitely in case of a config issue (e.g. server > administrator does not remove ECH config from DNS). > - Section 8.2 talks about middleboxes acting as TLS-terminating > proxies. All connections going through such proxies will result in ECH > being disabled (due to the ECH extension being absent from the > server_hello). Also leading to a possible connectivity loss, or at the very > least a permanent doubling in connections. > > The “connection doubling” in the scenarios above increases connection > establishment latency and adds load to the client, server, middlebox, and > other stateful network devices, and can be mitigated by a temporary holdoff > on ECH-enabled connections on the client. > > The proposal is therefore to change Section 6.1.6 from: > > If none of the values provided in "retry_configs" contains a supported > version, > or an earlier TLS version was negotiated, the client can regard ECH as > securely > disabled by the server, and it SHOULD retry the handshake with a new > transport > connection and ECH disabled. > > > > Clients SHOULD implement a limit on retries caused by receipt of > "retry_configs" > or servers which do not acknowledge the "encrypted_client_hello" > extension. If > the client does not retry in either scenario, it MUST report an error to > the > calling application. > > To: > > Clients SHOULD implement a limit* on ECH-enabled *retries caused by* the > secure* > *replacement of ECH keys by "retry_configs". If the client does not retry, > it* > *MUST report an error to the calling application.* > > > > If none of the values provided in "retry_configs" contains a supported > version, > or an earlier TLS version was negotiated*, or the server did not supply > an* > *"encrypted_client_hello" extension in its EncryptedExtensions message*, > the > client can regard ECH as securely disabled by the server. It SHOULD retry > the handshake with a new transport connection and ECH disabled. *If the > client* > *does not retry, it MUST report an error to the calling application.* > > > > *Clients SHOULD implement a holdoff on ECH-enabled connections to an SNI > for* > > *which ECH has been securely disabled. I.e., those connections made after > the* > > *ECH-disabled retry. Clients SHOULD still send a GREASE ECH extension (see* > > *{{grease-ech}}) for ECH-disabled connections made during the holdoff > period.* > See https://github.com/tlswg/draft-ietf-tls-esni/issues/604 for discussion on this. -Ekr > > Thanks, > > Elardus > > (suggested diffs to the specification below) > > @@ -852,10 +852,11 @@ If the server supplied an "encrypted_client_hello" > extension in its > > EncryptedExtensions message, the client MUST check that it is syntactically > > valid and the client MUST abort the connection with a "decode_error" alert > > otherwise. If an earlier TLS version was negotiated, the client MUST NOT > enable > > -the False Start optimization {{RFC7918}} for this handshake. If both > > -authentication and the handshake complete successfully, the client MUST > perform > > -the processing described below then abort the connection with an > "ech_required" > > -alert before sending any application data to the server. > > +the False Start optimization {{RFC7918}} for this handshake. > > + > > +If both authentication and the handshake complete successfully, the > client MUST > > +perform the processing described below then abort the connection with an > > +"ech_required" alert before sending any application data to the server. > > If the server provided "retry_configs" and if at least one of the values > > contains a version supported by the client, the client can regard the ECH > keys > > @@ -876,15 +877,21 @@ because the client will send cookies to the server > in parallel connections, > > using the retry configurations for these parallel connections does not > > introduce a new tracking vector. > > +Clients SHOULD implement a limit on ECH-enabled retries caused by the > secure > > +replacement of ECH keys by "retry_configs". If the client does not retry, > it > > +MUST report an error to the calling application. > > + > > If none of the values provided in "retry_configs" contains a supported > version, > > -or an earlier TLS version was negotiated, the client can regard ECH as > securely > > -disabled by the server, and it SHOULD retry the handshake with a new > transport > > -connection and ECH disabled. > > - > > -Clients SHOULD implement a limit on retries caused by receipt of > "retry_configs" > > -or servers which do not acknowledge the "encrypted_client_hello" > extension. If > > -the client does not retry in either scenario, it MUST report an error to > the > > -calling application. > > +or an earlier TLS version was negotiated, or the server did not supply an > > +"encrypted_client_hello" extension in its EncryptedExtensions message, the > > +client can regard ECH as securely disabled by the server. It SHOULD retry > > +the handshake with a new transport connection and ECH disabled. If the > client > > +does not retry, it MUST report an error to the calling application. > > + > > +Clients SHOULD implement a holdoff on ECH-enabled connections to an SNI > for > > +which ECH has been securely disabled. I.e., those connections made after > the > > +ECH-disabled retry. Clients SHOULD still send a GREASE ECH extension (see > > +{{grease-ech}}) for ECH-disabled connections made during the holdoff > period. > > ### Authenticating for the Public Name {#auth-public-name} > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Stephen Farrell
- Re: [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Eric Rescorla